Introduction

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on Cisco IOS-XR® and the ASR 9000.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

When you know the origin of an attack (for example, from an analysis of NetFlow data), you can apply containment mechanisms such as Access Control Lists (ACLs). Once attack traffic has been detected and classified, you create the appropriate ACLs and deploy them to the necessary routers. Because this manual process is time-consuming and error-prone, many operators use Border Gateway Protocol (BGP) in order to propagate drop information to all routers quickly and consistently. This technique, Remotely Triggered Black Hole (RTBH) filtering, sets the next hop of the victim's IP address to the null interface. Traffic destined to the victim is then dropped on ingress into the network. Note that this destination-based drop discards the victim's legitimate traffic as well; it protects the rest of the network, not the victim.

Another option is to drop traffic from a particular source. This method is similar to the destination-based drop described previously, but it relies on a prior deployment of Unicast Reverse Path Forwarding (uRPF), which drops a packet if its source address is "invalid"; a source whose route points to Null0 counts as invalid. With the same mechanism as the destination-based drop, a BGP update is sent that sets the next hop for the attacking source prefix to Null0. From then on, every interface with uRPF enabled drops traffic from that source. Loose-mode uRPF is sufficient for this, because the check only requires that the source be reachable through some valid route, not through the interface on which the packet arrived.

Source-based RTBH Filtering on the ASR9000

When uRPF is enabled on the ASR9000, the router cannot perform the recursive lookup that resolves a route to Null0. The classic Cisco IOS configuration for source-based RTBH filtering depends on exactly that recursion: the trigger router advertises the source prefix with a black-hole next hop, and every edge router has a static route for that next hop pointing to Null0. This configuration therefore cannot be used directly on Cisco IOS-XR on the ASR9000. As an alternative, the Routing Policy Language (RPL) set next-hop discard option (introduced in Cisco IOS XR Release 4.3.0) is applied on the routers that receive the trigger routes. It installs the received prefix with a discard next hop directly, so no recursive lookup to Null0 is required.

Configure

Configuration on the Trigger Router

Configure a static route redistribution policy that sets a community on static routes marked with a special tag, and apply it in BGP:
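The following is an added end-to-end example, not configuration taken from this document: it shows the trigger router originating a tagged static route into BGP, and an edge ASR9000 receiving it with an inbound policy that uses set next-hop discard, with loose-mode uRPF on the interface where attack traffic enters. The AS number 65000, tag 666, community 65000:666, the 192.0.2.0/24, 10.0.0.0/24 and 203.0.113.0/30 addresses, and the policy and interface names are assumptions chosen for the example.

```text
! ---- Trigger router (IOS-XR) ----
! Assumed values: AS 65000, tag 666, community 65000:666.
! Black-hole the attacking source 192.0.2.10/32 and mark it with tag 666.
router static
 address-family ipv4 unicast
  192.0.2.10/32 Null0 tag 666
 !
!
! Only tagged static routes are exported into BGP; everything else is dropped.
! no-export keeps the black-hole route inside the AS.
route-policy STATIC-TO-BGP
  if tag eq 666 then
    set community (65000:666, no-export)
  else
    drop
  endif
end-policy
!
router bgp 65000
 address-family ipv4 unicast
  redistribute static route-policy STATIC-TO-BGP
 !
 neighbor 10.0.0.2
  remote-as 65000
  update-source Loopback0
  address-family ipv4 unicast
   next-hop-self
  !
 !
!

! ---- Edge ASR9000 (IOS-XR 4.3.0 or later for set next-hop discard) ----
! Routes carrying the black-hole community are installed with a discard
! next hop; all other routes from this neighbor are passed unchanged.
route-policy RTBH-IN
  if community matches-any (65000:666) then
    set next-hop discard
  endif
  pass
end-policy
!
router bgp 65000
 neighbor 10.0.0.1
  remote-as 65000
  update-source Loopback0
  address-family ipv4 unicast
   route-policy RTBH-IN in
  !
 !
!
! Loose-mode uRPF on the interface where the attack traffic enters.
! Packets sourced from 192.0.2.10 now fail the check and are dropped.
interface GigabitEthernet0/0/0/0
 ipv4 address 203.0.113.1 255.255.255.252
 ipv4 verify unicast source reachable-via any
!
```

On the edge router, show bgp ipv4 unicast 192.0.2.10/32 and show route 192.0.2.10/32 should show the prefix with Null0 as its next hop once the update has been received. If the neighbor already has an inbound route-policy, merge the community check into it rather than replacing it, since RPL applies only one inbound policy per neighbor. Removing the static route on the trigger router withdraws the prefix and restores traffic from that source.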